Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

And condition

Pravinsugi
Path Finder
‎12-03-2023 06:01 AM

I have below message in the splunk log

 

Ex : s1 event has been received for customer 15778

S2 event has been received for customer 15778

S3 event has been received for customer 15778

 

I want to check all S1,S2,S3 event has been received message present in the particular customer.i used AND condition but not able to achieve.plesse help me on this.

As per my scenario,if i have 1 lakhs customer, i want to check for all 3 events has been received mesage is present in the splunk log for one particular customer.if not present all 3 mesage i need to set up alert.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-03-2023 07:09 AM

Assuming customer and event have already been extracted

| stats values(event) as events by customer
| where NOT (events = "s1" AND events = "s2" AND events = "s3")
0 Karma
Reply

Pravinsugi
Path Finder
‎12-03-2023 07:22 AM

How to extract customer number ?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-03-2023 07:24 AM 
| rex "customer (?<customer>\d+)"
0 Karma
Reply

Pravinsugi
Path Finder
‎12-03-2023 07:29 AM

I have below query .how to include into result query.pls advise

 

 

Need to include this one into result query

| stats values(event) as events by customer | where NOT (events = "s1" AND events = "s2" AND events = "s3")

Result query:

(index=1 sourcetype="abc" "s1 event received" and "s2 event received" and "s3 event received") OR (index=2 sourcetype="xyz" "created") | rex "(?<e_type>s.) event received for (?<customer>\d+)" | rex "(?<created>created) for (?<customer>\d+)" | stats max(eval(if(e_type="s3",_time, null()))) as last_e_type max(eval(if(created="created", _time, null()))) as created_time dc(e_type) as e_types values(created) as created by customer | addinfo | where e_types=3 AND (created_time-last_e_type > 300 OR (isnull(created_time) AND info_max_time - last_e_type > 300)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-03-2023 07:37 AM

It depends on what you are trying to do since this search seems to be the opposite of what you had previously said you were trying to do.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-03-2023 07:04 AM

The AND operator works within a single event.  To combine multiple events you need to use an aggregating command.  Assuming the customer number has been extracted into a field called "customer" then this will trigger an alert if any customer does not have all three events.

<<some search for S1, S2, and S3>>
| stats count by customer
| where count < 3

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Pravinsugi
Path Finder
‎12-03-2023 07:22 AM

How to extract customer number from the event .pls advise 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...